* [libnftables PATCH 1/5] data_reg: xml: fix bytes movements
@ 2013-06-03 20:44 Arturo Borrero
From: Arturo Borrero @ 2013-06-03 20:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
There were bad bit movements and calculations when XML printing/parsing.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/expr/data_reg.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 74ebe76..7d26175 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -15,6 +15,7 @@
#include <limits.h>
#include <arpa/inet.h>
#include <errno.h>
+#include <netinet/in.h>
#include <libmnl/libmnl.h>
#include <linux/netfilter.h>
@@ -205,7 +206,7 @@ static int nft_data_reg_value_xml_parse(union nft_data_reg *reg, char *xml)
reg->val[i] = utmp;
}
- reg->len = sizeof(reg->val);
+ reg->len = len*sizeof(reg->val[0]);
mxmlDelete(tree);
return 0;
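Review bot: The new length `reg->len = len*sizeof(reg->val[0]);` trusts `len`, and the write `reg->val[i] = utmp;` just above it is bounded by the same value; if `len` is taken from the XML document and has not been compared with the register's capacity earlier in the function, an oversized count would write past `reg->val` before this line is reached. A guard such as `if (len > sizeof(reg->val) / sizeof(reg->val[0])) { mxmlDelete(tree); return -1; }` placed before the element loop closes that. nft_data_reg_value_xml_parse begins outside the hunk, so the origin of `len` and any existing check on it are not visible here.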
@@ -259,8 +260,9 @@ int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
union nft_data_reg *reg, uint32_t flags)
{
int len = size, offset = 0, ret, i, j;
+ uint32_t be;
uint8_t *tmp;
- int data_len = reg->len/sizeof(uint32_t);
+ int data_len = reg->len/sizeof(reg->val[0]);
ret = snprintf(buf, len, "<data_reg type=\"value\">");
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
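Review bot: `int data_len = reg->len/sizeof(reg->val[0]);` still takes `reg->len` on trust; if a register length larger than `sizeof(reg->val)` can reach this printer (the field is filled by the XML parser above and presumably by the netlink path as well), the per-element loop further down would read beyond `reg->val`. Clamping it, e.g. `if (reg->len > sizeof(reg->val)) data_len = sizeof(reg->val) / sizeof(reg->val[0]);`, keeps the output bounded by the register. `int len = size, ...` also narrows the `size_t` parameter to `int`, and `data_len`, `i` and `j` are `int` too, which is what produces the signed/unsigned comparison in the `j < sizeof(uint32_t)` loop of the next hunk. nft_data_reg_value_snprintf_xml continues outside the hunk.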
@@ -272,15 +274,17 @@ int nft_data_reg_value_snprintf_xml(char *buf, size_t size,
ret = snprintf(buf+offset, len, "<data%d>0x", i);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- tmp = (uint8_t *)®->val[i];
+ be = htonl(reg->val[i]);
+ tmp = (uint8_t *)&be;
- for (j=0; j<sizeof(int); j++) {
+ for (j = 0; j < sizeof(uint32_t); j++) {
ret = snprintf(buf+offset, len, "%.02x", tmp[j]);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
}
ret = snprintf(buf+offset, len, "</data%d>", i);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
+
}
ret = snprintf(buf+offset, len, "</data_reg>");
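Review bot: The byte loop's format `"%.02x"` spells a precision of 2 where the conventional zero-padded width `"%02x"` is meant; for `%x` both produce two hex digits, so this is a readability nit rather than a bug. The blank line added just before the closing brace of the per-register loop is stray whitespace. Printing `be` byte by byte after `htonl` gives a host-order-independent encoding, which is the point of the change; a one-line comment above `be = htonl(reg->val[i]);` saying so, `/* emit big-endian bytes so the XML is the same on every host */`, would save the next reader working it out. The function continues past the hunk.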
* [libnftables PATCH 2/5] rule: fix snprintf return value
@ 2013-06-03 20:44 ` Arturo Borrero
From: Arturo Borrero @ 2013-06-03 20:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This causes some chained snprintf calls to fail.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/rule.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index f0208d9..a91d21d 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -676,7 +676,7 @@ static int nft_rule_snprintf_xml(char *buf, size_t size, struct nft_rule *r,
ret = snprintf(buf+offset, len, "</rule>");
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- return ret;
+ return offset;
}
static int nft_rule_snprintf_default(char *buf, size_t size, struct nft_rule *r,
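Review bot: `return offset;` reports the bytes actually placed in `buf`, whereas the `snprintf` family reports the length the full output would have needed, so a caller can no longer detect truncation from the return value alone. If that is the intended contract for the `nft_*_snprintf` functions, a one-line comment above the return, `/* returns bytes written into buf, not the untruncated length */`, makes it explicit for callers that chain these calls into one buffer. The same applies to the `return offset;` in nft_rule_snprintf_default in the next hunk. Both functions begin outside their hunks.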
@@ -699,7 +699,7 @@ static int nft_rule_snprintf_default(char *buf, size_t size, struct nft_rule *r,
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
}
- return ret;
+ return offset;
}
int nft_rule_snprintf(char *buf, size_t size, struct nft_rule *r,
* [libnftables PATCH 3/5] src: xml: set errno to EINVAL when invalid parsing
@ 2013-06-03 20:44 ` Arturo Borrero
From: Arturo Borrero @ 2013-06-03 20:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This patch sets errno to EINVAL when the XML parsing fails due to a bad format, a missing node, or similar.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/chain.c | 141 +++++++++++++++++++++++++----------------------------------
src/rule.c | 129 ++++++++++++++++++++++--------------------------------
src/table.c | 58 ++++++++++--------------
3 files changed, 137 insertions(+), 191 deletions(-)
diff --git a/src/chain.c b/src/chain.c
index 71d84a9..8dc9a49 100644
--- a/src/chain.c
+++ b/src/chain.c
@@ -467,73 +467,61 @@ static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
/* Load the tree */
tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
- if (tree == NULL)
+ if (tree == NULL) {
+ errno = EINVAL;
return -1;
+ }
/* Validate this is a <chain> node */
- if (strcmp(tree->value.opaque, "chain") != 0) {
- mxmlDelete(tree);
- return -1;
- }
+ if (strcmp(tree->value.opaque, "chain") != 0)
+ goto err;
/* Validate version */
- if (mxmlElementGetAttr(tree, "version") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "version") == NULL)
+ goto err;
+
tmp = strtoll(mxmlElementGetAttr(tree, "version"), &endptr, 10);
- if (tmp == LLONG_MAX || *endptr || tmp != NFT_CHAIN_XML_VERSION) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp == LLONG_MAX || *endptr || tmp != NFT_CHAIN_XML_VERSION)
+ goto err;
/* Get and set <chain name="xxx" ... >*/
- if (mxmlElementGetAttr(tree, "name") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "name") == NULL)
+ goto err;
+
strncpy(c->name, mxmlElementGetAttr(tree, "name"),
NFT_CHAIN_MAXNAMELEN);
c->flags |= (1 << NFT_CHAIN_ATTR_NAME);
/* Get and set <chain handle="x" ... >*/
- if (mxmlElementGetAttr(tree, "handle") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "handle") == NULL)
+ goto err;
utmp = strtoull(mxmlElementGetAttr(tree, "handle"), &endptr, 10);
- if (utmp == UINT64_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp == UINT64_MAX || utmp < 0 || *endptr)
+ goto err;
c->handle = utmp;
c->flags |= (1 << NFT_CHAIN_ATTR_HANDLE);
/* Get and set <chain bytes="x" ... >*/
- if (mxmlElementGetAttr(tree, "bytes") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "bytes") == NULL)
+ goto err;
+
utmp = strtoull(mxmlElementGetAttr(tree, "bytes"), &endptr, 10);
- if (utmp == UINT64_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp == UINT64_MAX || utmp < 0 || *endptr)
+ goto err;
+
c->bytes = utmp;
c->flags |= (1 << NFT_CHAIN_ATTR_BYTES);
/* Get and set <chain packets="x" ... > */
- if (mxmlElementGetAttr(tree, "packets") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "packets") == NULL)
+ goto err;
+
utmp = strtoull(mxmlElementGetAttr(tree, "packets"), &endptr, 10);
- if (utmp == UINT64_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp == UINT64_MAX || utmp < 0 || *endptr)
+ goto err;
+
c->packets = utmp;
c->flags |= (1 << NFT_CHAIN_ATTR_PACKETS);
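Review bot: In the rewritten checks `if (utmp == UINT64_MAX || utmp < 0 || *endptr)` the `utmp < 0` term can never be true if `utmp` is unsigned, as its name and the `UINT64_MAX` comparison suggest, and `-Wextra` warns about it; the same term is in the `UINT32_MAX`/`UINT8_MAX` checks of the last hunk of this file and in the table.c hunks, while in rule.c `tmp` is also assigned from strtoll and the term is only meaningful if that variable is signed. strtoull also accepts a leading minus and negates the value, so `"-2"` passes the handle/bytes/packets checks as 18446744073709551614; rejecting a leading `-` before the call, or clearing `errno` first and testing `errno == ERANGE` instead of comparing with the maximum, closes that and stops a legitimate maximal value being refused. Separately, the `tree == NULL` branch now forces `errno = EINVAL` even when mxmlLoadString failed for a reason other than malformed input, such as allocation failure, so that cause is hidden from callers; the corresponding rule.c and table.c hunks do the same. nft_chain_xml_parse begins outside the hunk.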
@@ -543,10 +531,8 @@ static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
/* Get and set <type> */
node = mxmlFindElement(tree, tree, "type", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
if (c->type)
free(c->type);
@@ -556,10 +542,9 @@ static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
/* Get and set <table> */
node = mxmlFindElement(tree, tree, "table", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
if (c->table)
free(c->table);
@@ -568,15 +553,12 @@ static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
/* Get and set <prio> */
node = mxmlFindElement(tree, tree, "prio", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
tmp = strtoll(node->child->value.opaque, &endptr, 10);
- if (tmp > INT32_MAX || tmp < INT32_MIN || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > INT32_MAX || tmp < INT32_MIN || *endptr)
+ goto err;
memcpy(&c->prio, &tmp, sizeof(c->prio));
c->flags |= (1 << NFT_CHAIN_ATTR_PRIO);
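Review bot: The replacement check `if (node == NULL) goto err;` still leaves `node->child->value.opaque` on the next line unguarded: an empty element such as `<prio></prio>` yields a node whose `child` is NULL, and strtoll then dereferences a NULL pointer on attacker-shaped but well-formed XML. Extending the test to `if (node == NULL || node->child == NULL) goto err;` keeps the new errno/goto path and covers that input; the same pattern is in the last hunk of this file (hooknum, policy, family), in the rule_flags/compat_proto/compat_flags hunks of rule.c and in both `node->child` hunks of table.c. nft_chain_xml_parse begins outside the hunk.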
@@ -587,51 +569,48 @@ static int nft_chain_xml_parse(struct nft_chain *c, char *xml)
/* Get and set <hooknum> */
node = mxmlFindElement(tree, tree, "hooknum", NULL, NULL,
MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
utmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (utmp > UINT32_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp > UINT32_MAX || utmp < 0 || *endptr)
+ goto err;
memcpy(&c->hooknum, &utmp, sizeof(c->hooknum));
c->flags |= (1 << NFT_CHAIN_ATTR_HOOKNUM);
/* Get and set <policy> */
node = mxmlFindElement(tree, tree, "policy", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
utmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (utmp > UINT32_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp > UINT32_MAX || utmp < 0 || *endptr)
+ goto err;
c->policy = (uint32_t)utmp;
c->flags |= (1 << NFT_CHAIN_ATTR_POLICY);
/* Get and set <family> */
node = mxmlFindElement(tree, tree, "family", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
utmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (utmp > UINT8_MAX || utmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (utmp > UINT8_MAX || utmp < 0 || *endptr)
+ goto err;
c->family = (uint32_t)utmp;
c->flags |= (1 << NFT_CHAIN_ATTR_FAMILY);
mxmlDelete(tree);
return 0;
+
+err:
+ /* The XML format is invalid */
+ errno = EINVAL;
+ mxmlDelete(tree);
+ return -1;
#else
errno = EOPNOTSUPP;
return -1;
diff --git a/src/rule.c b/src/rule.c
index a91d21d..21593e3 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -452,46 +452,37 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
/* Load the tree */
tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
- if (tree == NULL)
+ if (tree == NULL) {
+ errno = EINVAL;
return -1;
+ }
/* validate this is a <rule> node */
- if (strcmp(tree->value.opaque, "rule") != 0) {
- mxmlDelete(tree);
- return -1;
- }
+ if (strcmp(tree->value.opaque, "rule") != 0)
+ goto err;
/* validate XML version <rule ... version=X ... > */
- if (mxmlElementGetAttr(tree, "version") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "version") == NULL)
+ goto err;
+
tmp = strtoll(mxmlElementGetAttr(tree, "version"), &endptr, 10);
- if (tmp == LLONG_MAX || *endptr || tmp != NFT_RULE_XML_VERSION) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp == LLONG_MAX || *endptr || tmp != NFT_RULE_XML_VERSION)
+ goto err;
/* get and set <rule ... family=X ... > */
- if (mxmlElementGetAttr(tree, "family") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "family") == NULL)
+ goto err;
tmp = strtoull(mxmlElementGetAttr(tree, "family"), &endptr, 10);
- if (tmp > UINT8_MAX || tmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT8_MAX || tmp < 0 || *endptr)
+ goto err;
r->family = (uint8_t)tmp;
r->flags |= (1 << NFT_RULE_ATTR_FAMILY);
/* get and set <rule ... table=X ...> */
- if (mxmlElementGetAttr(tree, "table") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "table") == NULL)
+ goto err;
if (r->table)
free(r->table);
@@ -500,10 +491,8 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
r->flags |= (1 << NFT_RULE_ATTR_TABLE);
/* get and set <rule ... chain=X ...> */
- if (mxmlElementGetAttr(tree, "chain") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "chain") == NULL)
+ goto err;
if (r->chain)
free(r->chain);
@@ -512,15 +501,12 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
r->flags |= (1 << NFT_RULE_ATTR_CHAIN);
/* get and set <rule ... handle=X ...> */
- if (mxmlElementGetAttr(tree, "handle") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "handle") == NULL)
+ goto err;
+
tmp = strtoull(mxmlElementGetAttr(tree, "handle"), &endptr, 10);
- if (tmp == UINT64_MAX || tmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp == UINT64_MAX || tmp < 0 || *endptr)
+ goto err;
r->handle = tmp;
r->flags |= (1 << NFT_RULE_ATTR_HANDLE);
@@ -528,15 +514,12 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
/* get and set <rule_flags> */
node = mxmlFindElement(tree, tree, "rule_flags", NULL, NULL,
MXML_DESCEND_FIRST);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
tmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr)
+ goto err;
r->rule_flags = (uint32_t)tmp;
r->flags |= (1 << NFT_RULE_ATTR_FLAGS);
@@ -544,15 +527,12 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
/* get and set <compat_proto> */
node = mxmlFindElement(tree, tree, "compat_proto", NULL, NULL,
MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
tmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr)
+ goto err;
r->compat.proto = (uint32_t)tmp;
r->flags |= (1 << NFT_RULE_ATTR_COMPAT_PROTO);
@@ -560,15 +540,12 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
/* get and set <compat_flags> */
node = mxmlFindElement(tree, tree, "compat_flags", NULL, NULL,
MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
+
tmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (tmp > UINT32_MAX || tmp < 0 || *endptr) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT32_MAX || tmp < 0 || *endptr)
+ goto err;
r->compat.flags = (uint32_t)tmp;
r->flags |= (1 << NFT_RULE_ATTR_COMPAT_FLAGS);
@@ -580,22 +557,16 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
node = mxmlFindElement(node, tree, "expr", "type",
NULL, MXML_DESCEND)) {
- if (mxmlElementGetAttr(node, "type") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(node, "type") == NULL)
+ goto err;
ops = nft_expr_ops_lookup(mxmlElementGetAttr(node, "type"));
- if (ops == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (ops == NULL)
+ goto err;
e = nft_rule_expr_alloc(mxmlElementGetAttr(node, "type"));
- if (e == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (e == NULL)
+ goto err;
/* This is a hack for mxml to print just the current node */
save = node->next;
@@ -603,10 +574,8 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
if (ops->xml_parse(e,
mxmlSaveAllocString(node,
- MXML_NO_CALLBACK)) != 0) {
- mxmlDelete(tree);
- return -1;
- }
+ MXML_NO_CALLBACK)) != 0)
+ goto err;
nft_rule_add_expr(r, e);
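Review bot: On the new `goto err` path after a failed `ops->xml_parse`, the expression `e` obtained from nft_rule_expr_alloc in the previous hunk has not yet been attached to the rule by nft_rule_add_expr, so it is leaked; the old `return -1` leaked it too, but this rewrite is the place to add `nft_rule_expr_free(e);` before the `goto err;`. The string returned by mxmlSaveAllocString is heap-allocated by mxml and is never released on either path; holding it in a local, passing that to `ops->xml_parse` and calling `free()` on it once the call returns fixes the per-expression leak. nft_rule_xml_parse continues outside the hunk.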
@@ -616,6 +585,12 @@ static int nft_rule_xml_parse(struct nft_rule *r, char *xml)
mxmlDelete(tree);
return 0;
+
+err:
+ /* When the XML parsing is invalid */
+ errno = EINVAL;
+ mxmlDelete(tree);
+ return -1;
#else
errno = EOPNOTSUPP;
return -1;
diff --git a/src/table.c b/src/table.c
index fd6ed5d..feb12a5 100644
--- a/src/table.c
+++ b/src/table.c
@@ -209,32 +209,26 @@ static int nft_table_xml_parse(struct nft_table *t, char *xml)
/* Load the tree */
tree = mxmlLoadString(NULL, xml, MXML_OPAQUE_CALLBACK);
- if (tree == NULL)
+ if (tree == NULL) {
+ errno = EINVAL;
return -1;
+ }
/* Validate this is a <table> node */
- if (strcmp(tree->value.opaque, "table") != 0) {
- mxmlDelete(tree);
- return -1;
- }
+ if (strcmp(tree->value.opaque, "table") != 0)
+ goto err;
/* Check the version of the XML */
- if (mxmlElementGetAttr(tree, "version") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "version") == NULL)
+ goto err;
stmp = strtoll(mxmlElementGetAttr(tree, "version"), &endptr, 10);
- if (stmp == LLONG_MAX || *endptr || stmp != NFT_TABLE_XML_VERSION) {
- mxmlDelete(tree);
- return -1;
- }
+ if (stmp == LLONG_MAX || *endptr || stmp != NFT_TABLE_XML_VERSION)
+ goto err;
/* Get and set the name of the table */
- if (mxmlElementGetAttr(tree, "name") == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (mxmlElementGetAttr(tree, "name") == NULL)
+ goto err;
if (t->name)
free(t->name);
@@ -248,16 +242,12 @@ static int nft_table_xml_parse(struct nft_table *t, char *xml)
/* Get the and set <family> node */
node = mxmlFindElement(tree, tree, "family", NULL, NULL, MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
tmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (tmp > UINT32_MAX || *endptr || tmp < 0) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT32_MAX || *endptr || tmp < 0)
+ goto err;
t->family = (uint32_t)tmp;
t->flags |= (1 << NFT_TABLE_ATTR_FAMILY);
@@ -265,22 +255,24 @@ static int nft_table_xml_parse(struct nft_table *t, char *xml)
/* Get and set <table_flags> */
node = mxmlFindElement(tree, tree, "table_flags", NULL, NULL,
MXML_DESCEND);
- if (node == NULL) {
- mxmlDelete(tree);
- return -1;
- }
+ if (node == NULL)
+ goto err;
tmp = strtoull(node->child->value.opaque, &endptr, 10);
- if (tmp > UINT32_MAX || *endptr || tmp < 0) {
- mxmlDelete(tree);
- return -1;
- }
+ if (tmp > UINT32_MAX || *endptr || tmp < 0)
+ goto err;
t->table_flags = (uint32_t)tmp;
t->flags |= (1 << NFT_TABLE_ATTR_FLAGS);
mxmlDelete(tree);
return 0;
+
+err:
+ /* when the parsing fails */
+ errno = EINVAL;
+ mxmlDelete(tree);
+ return -1;
#else
errno = EOPNOTSUPP;
return -1;
* [libnftables PATCH 4/5] expr: xml: don't print target&match info
@ 2013-06-03 20:44 ` Arturo Borrero
From: Arturo Borrero @ 2013-06-03 20:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
As it is not supported in parsing, don't print the target&match <info> attribute at all.
However, I think this could be easily supported, with the drawback of having a XML file full of binary data.
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
src/expr/match.c | 12 +-----------
src/expr/target.c | 12 +-----------
2 files changed, 2 insertions(+), 22 deletions(-)
diff --git a/src/expr/match.c b/src/expr/match.c
index edb78ea..4f8d8fc 100644
--- a/src/expr/match.c
+++ b/src/expr/match.c
@@ -245,22 +245,12 @@ static int nft_rule_expr_match_snprintf_xml(char *buf, size_t len,
struct nft_expr_match *mt)
{
int ret, size=len;
- int i;
int offset = 0;
- uint8_t *data = (uint8_t *)mt->data;
- ret = snprintf(buf, len, "<name>%s</name><rev>%u</rev><info>0x",
+ ret = snprintf(buf, len, "<name>%s</name><rev>%u</rev>",
mt->name, mt->rev);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- for (i=0; i < mt->data_len; i++) {
- ret = snprintf(buf+offset, len, "%x", data[i] & 0xff);
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- }
-
- ret = snprintf(buf+offset, len, "</info>");
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-
return offset;
}
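Review bot: The rewritten `snprintf(buf, len, "<name>%s</name><rev>%u</rev>", mt->name, mt->rev)` still interpolates `mt->name` into the XML without escaping; a name containing `<`, `&` or `"` would yield a document the XML parser rejects. Match names come from the kernel's extension registry and are in practice plain identifiers, so a comment stating that assumption, `/* name is a plain extension identifier; no XML escaping applied */`, may be enough, otherwise route it through an escaper. The target.c hunk has the identical line for `tg->name`. `int ret, size=len;` also narrows the `size_t` parameter to `int` in both functions.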
diff --git a/src/expr/target.c b/src/expr/target.c
index 6652c47..bcdf034 100644
--- a/src/expr/target.c
+++ b/src/expr/target.c
@@ -249,22 +249,12 @@ int nft_rule_exp_target_snprintf_xml(char *buf, size_t len,
struct nft_expr_target *tg)
{
int ret, size=len;
- int i;
int offset = 0;
- uint8_t *data = (uint8_t *)tg->data;
- ret = snprintf(buf, len, "<name>%s</name><rev>%u</rev><info>0x",
+ ret = snprintf(buf, len, "<name>%s</name><rev>%u</rev>",
tg->name, tg->rev);
SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- for (i=0; i < tg->data_len; i++) {
- ret = snprintf(buf+offset, len, "%x", data[i] & 0xff);
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
- }
-
- ret = snprintf(buf+offset, len, "</info>");
- SNPRINTF_BUFFER_SIZE(ret, size, len, offset);
-
return offset;
}
* [libnftables PATCH 5/5] examples: get XML ruleset
@ 2013-06-03 20:44 ` Arturo Borrero
From: Arturo Borrero @ 2013-06-03 20:44 UTC (permalink / raw)
To: netfilter-devel; +Cc: pablo
This example code prints out the current ruleset in XML format.
In the near future, when sets are XML-handled, this example will be updated.
Take this as a proposal. There are many ways to print out the ruleset in XML:
* Nesting or not the rules in each chain.
* Nesting or not each chain in its corresponding table.
* Using another naming scheme for top-level elements, like '<nftables>' and/or '<ruleset>'.
Also note that at the moment there is no implementation to parse the whole ruleset, only individual objects (table/chain/rule).
Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
examples/Makefile.am | 4 +
examples/nft-ruleset-xml-get.c | 265 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 269 insertions(+)
create mode 100644 examples/nft-ruleset-xml-get.c
diff --git a/examples/Makefile.am b/examples/Makefile.am
index dcf798a..49488b8 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -13,6 +13,7 @@ check_PROGRAMS = nft-table-add \
nft-rule-xml-add \
nft-rule-del \
nft-rule-get \
+ nft-ruleset-xml-get \
nft-events \
nft-set-add \
nft-set-get \
@@ -61,6 +62,9 @@ nft_rule_del_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
nft_rule_get_SOURCES = nft-rule-get.c
nft_rule_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
+nft_ruleset_xml_get_SOURCES = nft-ruleset-xml-get.c
+nft_ruleset_xml_get_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
+
nft_events_SOURCES = nft-events.c
nft_events_LDADD = ../src/libnftables.la ${LIBMNL_LIBS} ${LIBXML_LIBS}
diff --git a/examples/nft-ruleset-xml-get.c b/examples/nft-ruleset-xml-get.c
new file mode 100644
index 0000000..b93e55d
--- /dev/null
+++ b/examples/nft-ruleset-xml-get.c
@@ -0,0 +1,265 @@
+/*
+ * (C) 2013 Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+#define SNPRINTF_BUFFER_SIZE(ret, size, len, offset) \
+ size += ret; \
+ if (ret > len) \
+ ret = len; \
+ offset += ret; \
+ len -= ret;
+
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include <netinet/in.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include <libmnl/libmnl.h>
+#include <libnftables/table.h>
+#include <libnftables/chain.h>
+#include <libnftables/rule.h>
+#include <libnftables/set.h>
+
+struct printdata {
+ char *buf;
+ int ret;
+ long int size;
+ int len;
+ int offset;
+} ;
+
+static int table_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nft_table *t;
+ struct printdata *p = (struct printdata *)data;
+
+ t = nft_table_alloc();
+ if (t == NULL) {
+ perror("OOM");
+ goto err;
+ }
+
+ if (nft_table_nlmsg_parse(nlh, t) < 0) {
+ perror("nft_table_nlmsg_parse");
+ goto err_free;
+ }
+
+ p->ret = nft_table_snprintf(p->buf+p->offset, p->size, t, NFT_TABLE_O_XML, 0);
+ SNPRINTF_BUFFER_SIZE(p->ret, p->size, p->len, p->offset);
+
+err_free:
+ nft_table_free(t);
+err:
+ return MNL_CB_OK;
+}
+
+static int chain_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nft_chain *c;
+ struct printdata *p = (struct printdata *)data;
+
+ c = nft_chain_alloc();
+ if (c == NULL) {
+ perror("OOM");
+ goto err;
+ }
+
+ if (nft_chain_nlmsg_parse(nlh, c) < 0) {
+ perror("nft_chain_nlmsg_parse");
+ goto err_free;
+ }
+
+ p->ret = nft_chain_snprintf(p->buf+p->offset, p->size, c, NFT_CHAIN_O_XML, 0);
+ SNPRINTF_BUFFER_SIZE(p->ret, p->size, p->len, p->offset);
+
+err_free:
+ nft_chain_free(c);
+err:
+ return MNL_CB_OK;
+}
+
+static int rule_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nft_rule *r;
+ struct printdata *p = (struct printdata *)data;
+
+ r = nft_rule_alloc();
+ if (r == NULL) {
+ perror("OOM");
+ goto err;
+ }
+
+ if (nft_rule_nlmsg_parse(nlh, r) < 0) {
+ perror("nft_rule_nlmsg_parse");
+ goto err_free;
+ }
+
+ p->ret = nft_rule_snprintf(p->buf+p->offset, p->size, r, NFT_RULE_O_XML, 0);
+ SNPRINTF_BUFFER_SIZE(p->ret, p->size, p->len, p->offset);
+
+err_free:
+ nft_rule_free(r);
+err:
+ return MNL_CB_OK;
+}
+
+static void get_table(struct mnl_socket *nl, uint16_t family, struct printdata *p)
+{
+ int ret;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ int seq = time(NULL);
+ struct nlmsghdr *nlh;
+ uint32_t portid = mnl_socket_get_portid(nl);
+
+ nlh = nft_table_nlmsg_build_hdr(buf, NFT_MSG_GETTABLE, family,
+ NLM_F_DUMP, seq);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, table_cb, p);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+}
+
+static void get_chain(struct mnl_socket *nl, uint16_t family, struct printdata *p)
+{
+ int ret;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ int seq = time(NULL);
+ struct nlmsghdr *nlh;
+ uint32_t portid = mnl_socket_get_portid(nl);
+
+ nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_GETCHAIN, family,
+ NLM_F_DUMP, seq);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, chain_cb, p);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+}
+
+static void get_rule(struct mnl_socket *nl, uint16_t family, struct printdata *p)
+{
+ int ret;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ int seq = time(NULL);
+ struct nlmsghdr *nlh;
+ uint32_t portid = mnl_socket_get_portid(nl);
+
+ nlh = nft_chain_nlmsg_build_hdr(buf, NFT_MSG_GETRULE, family,
+ NLM_F_DUMP, seq);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, rule_cb, p);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+}
+
+int main(int argc, char *argv[])
+{
+ struct mnl_socket *nl;
+ char printbuf[1000000];
+ struct printdata p;
+ p.buf = printbuf;
+ p.size = sizeof(printbuf);
+ p.len = p.size;
+ p.offset = 0;
+
+ nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (nl == NULL) {
+ perror("mnl_socket_open");
+ exit(EXIT_FAILURE);
+ }
+
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("mnl_socket_bind");
+ exit(EXIT_FAILURE);
+ }
+
+ p.ret = snprintf(p.buf, p.size, "<nftables>");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "<ruleset family=\"AF_BRIDGE\">");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ /*Get Bridge ruleset*/
+ get_table(nl, AF_BRIDGE, &p);
+ get_chain(nl, AF_BRIDGE, &p);
+ get_rule(nl, AF_BRIDGE, &p);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "</ruleset>");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "<ruleset family=\"AF_INET\">");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ /*Get IPv4 ruleset*/
+ get_table(nl, AF_INET, &p);
+ get_chain(nl, AF_INET, &p);
+ get_rule(nl, AF_INET, &p);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "</ruleset>");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "<ruleset family=\"AF_INET6\">");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ /*Get IPv6 ruleset*/
+ get_table(nl, AF_INET6, &p);
+ get_chain(nl, AF_INET6, &p);
+ get_rule(nl, AF_INET6, &p);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "</ruleset>");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ p.ret = snprintf(p.buf+p.offset, p.size, "</nftables>");
+ SNPRINTF_BUFFER_SIZE(p.ret, p.size, p.len, p.offset);
+
+ printf("%s\n", printbuf);
+
+ mnl_socket_close(nl);
+ return EXIT_SUCCESS;
+}
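Review bot: Every formatting call in this file passes `p->size` as the destination size — `nft_table_snprintf(p->buf+p->offset, p->size, t, NFT_TABLE_O_XML, 0)` in table_cb, the same in chain_cb and rule_cb, and all the `snprintf(p.buf+p.offset, p.size, ...)` calls in main — but the macro at the top does `size += ret;`, so after the first call `p->size` exceeds the space left after `p->buf+p->offset`, and a ruleset whose XML approaches the 1000000-byte `printbuf` is written past the end of the stack array instead of being truncated. `p->len` is the remaining capacity the macro maintains and is the value to pass, e.g. `p->ret = nft_table_snprintf(p->buf+p->offset, p->len, t, NFT_TABLE_O_XML, 0);`. The macro itself is a bare multi-statement expansion with unparenthesized arguments that adds a negative `ret` to `offset`, so wrapping it in `do { } while (0)` and bailing on `ret < 0` is worth doing while touching it (fence below). Smaller points: get_rule builds its header with `nft_chain_nlmsg_build_hdr` where `nft_rule_nlmsg_build_hdr` looks intended, `perror`/`printf` are used without `#include <stdio.h>`, and a 1000000-byte automatic array is better made `static` or heap-allocated.
```c
#define SNPRINTF_BUFFER_SIZE(ret, size, len, offset)	\
	do {						\
		if ((ret) < 0)				\
			break;				\
		(size) += (ret);			\
		if ((ret) > (len))			\
			(ret) = (len);			\
		(offset) += (ret);			\
		(len) -= (ret);				\
	} while (0)

/* … unchanged: includes, struct printdata … */

	p->ret = nft_table_snprintf(p->buf+p->offset, p->len, t, NFT_TABLE_O_XML, 0);
	SNPRINTF_BUFFER_SIZE(p->ret, p->size, p->len, p->offset);
/* … same p->len / p.len argument in chain_cb, rule_cb and every snprintf() in main … */
```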
* Re: [libnftables PATCH 2/5] rule: fix snprintf return value
@ 2013-06-05 3:09 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-06-05 3:09 UTC (permalink / raw)
To: Arturo Borrero; +Cc: netfilter-devel
On Mon, Jun 03, 2013 at 10:44:52PM +0200, Arturo Borrero wrote:
> This cause some chained snprintf to fail.
Applied, thanks.
* Re: [libnftables PATCH 3/5] src: xml: set errno to EINVAL when invalid parsing
@ 2013-06-05 3:38 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2013-06-05 3:38 UTC (permalink / raw)
To: Arturo Borrero; +Cc: netfilter-devel
On Mon, Jun 03, 2013 at 10:44:54PM +0200, Arturo Borrero wrote:
> This patch sets errno to EINVAL when the XML parsing fails due to a bad format, a missing node or something.
I like this patch but it doesn't apply cleanly without the versioning
stuff.
Since the versioning looks more tricky, can you rebase this patch upon
the current tree and resend?
Thanks.